4

Suppose I have created a web service (DataOperation.asmx) within my web application. Now I am calling this webservice through my .aspx page using JQuery. like: 

$.ajax({ 
type: "POST", 
url: "../../DataOperation.asmx/someMethod", 
cache: false, 
data: "param1=" + p1, 
async: false, 
success: function(msg) { 

} 
});

Now my question is, if anyone see this webservice name and webmethod name by investigating the html page source code, then he can use it from anywhere and can put some malicious entry by calling this web services. So how should I protect this web services from others and at the same time I should be able to use it with JQuery/Javascript calls.

Anyone knows the answer would be appreciated.

Regards, Haidar

Improve this question
3
  • Are your aspx and asmx pages being served from the same web application? Commented Jun 23, 2011 at 15:49
  • Yes, it is served at the same web application. Commented Jun 25, 2011 at 8:38
  • Never use synchronous XHR (async:false). It's terrible user experience, and there's no valid reason to use use it. Commented Jun 28, 2012 at 14:50

2 Answers 2

Reset to default
2

The scenario is we have SOA Suite installed at our end and we have deployed a process which is accessible via

http://host:port/service/someService

Now our requirement is how to secure this link that is call the service using https so the new request should appear like

https://host:port/service/someService

Again i would like you all to go through this link to get some idea on key and certificate.

http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html

BAsed on this note i will generate a key

OPen a command window and navigate till jdk/bin directory and issue a command

keytool -genkey -alias arpit -server -dname "CN=Arpit, OU=Integration O=Oracle L=Bangalore, S=Karnataka, C=IN" -keyalg RSA -keypass welcome1 -storepass welcome1 -keystore arpit.keystore

It should be like

Once you will execute this command you will find a key with name arpit.keystore getting created in the same folder where you have executed it.

You can copy the arpit.keystore into the $ORACLE_HOME/j2ee/home/config

Nnow again

  1. Copy default-web-site.xml to secure-web-site.xml

  2. Edit the secure-web-site.xml: 2.1. Change the web-site tag by changing the port to 4443 and adding the element secure="true" 2.1. Add the ssl-config element and point this to the new created keystore. The file looks like:

... ...

  1. Import the new Web site in your OC4J instance by editing the $ORACLE_HOME/j2ee/home/server.xml file. You need to add or replace the web-site tag. In

... ...

Since we have copied the file from the default-web-site, all applications are available using HTTP and HTTPS

Now Start OC4J and test the HTTPS port.

It should work.This is for standalone container

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Can you give me some examples in .net ?
1)forums.asp.net/t/1643729.aspx/1 and 2)codeproject.com/KB/WCF/9StepsWCF.aspx
1

I would secure it by making sure the request is from the same session that the page is served in. You can do this by issuing a signed cookie when you return the page that contains that javascript that is going to callback into your web service. When your page makes the ajax call, it will include this signed cookie, which you can validate within your web method before returning any results. To prevent cookie spoofing, store a unique tokenID in your session and make that tokenID part of your cookie. If the tokenID's do not match, don't process the web method (just return an error).

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.